isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

For ptrace intercept mode, do not do a policy check for the initial command.

Browse Source 
We can skip the policy check for the execve(2) of the initial command
since it has already been check.  Otherwise, we would log the command
twice.  When using fexecve(2) due to a digest check, there should
be no need to skip the initial command since it will be executed
via execveat(2) not execve(2).  However, on older kernels without
execveat(2), glibc will emulate fexecve(2) using /proc which will
result in the extra log entry.
This commit is contained in:
Todd C. Miller
2022-04-29 13:09:03 -06:00
parent 5d385b3c58
commit 52cacfc302
5 changed files with 21 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
src/exec_ptrace.c
View File

@@ -623,6 +623,12 @@ ptrace_intercept_execve(pid_t pid, struct intercept_closure *closure)
int argc, envc;
debug_decl(ptrace_intercept_execve, SUDO_DEBUG_UTIL);
/* Do not check the policy if we are executing the initial command. */
if (closure->initial_command != 0) {
closure->initial_command--;
debug_return_bool(true);
}
/* Get the current working directory and execve info. */
if (!getcwd_by_pid(pid, cwd, sizeof(cwd)))
(void)strlcpy(cwd, "unknown", sizeof(cwd));